Much of the recent discussion about the problems with the CFAA's tough penalty scheme has revolved around its draconian maximum punishments. While maximums play an important role in criminal sentencing, the actual sentence a defendant will receive depends mostly on the sentencing range recommended in the United States Sentencing Guidelines ("USSG"). The Guidelines are written and updated by the United States Sentencing Commission ("USSC"), an independent agency of the judicial branch created by Congress in 1984, to help judges determine where in the spectrum from no jail time to the maximum a sentence should fall. The Guidelines were once binding on sentencing courts, but in 2005 the Supreme Court ruled that they were only a recommendation the court was free to disregard. Nonetheless, the vast majority of federal criminal sentences fall within the Guideline range recommended by the USSC. And when it comes to looking at how the Guidelines treat CFAA cases, it's clear why the law needs to be reformed.

How the Guidelines Work

The Guideline range hinges on only two things: the characteristics of the crime committed and the defendant's criminal history. It plots these two factors on a table. On the Y-axis is a scale of 1 to 43 that measures the "offense level," or the seriousness of a crime; 1 is the least serious crime; 43 is the most serious crime. On the X-axis is a scale of I to VI that measures a defendant's criminal history; I is the least serious criminal history, including first offenders; VI is the highest.

At sentencing, the court must first calculate the offense level for the specific statute of conviction. Then, it can apply enhancements for aggravating behavior like choosing an "official victim." Once the court calculates the offense level, it then determines the defendant's criminal history. Then, once these two factors have been calculated, the court matches the two numbers on the table, leading to the recommended sentencing range for a particular crime. As either of these two axes increases, so does the length of the sentence. The court can impose a sentence within the range, which can be presumed reasonable on appeal, or disregard the range and impose whatever sentence it wants up to the maximum.

While the Supreme Court has noted the Guideline ranges created by the USSC are supposed to be based on "empirical data and national experience," oftentimes they are born out of a Congressional directive to the Commission to increase sentencing ranges after Congress increases maximum punishments. That's exactly what Congress did in 2008 after it increased the CFAA's maximum penalties and told the USSC it wanted the Guideline ranges for CFAA crimes to be "increased in comparison to those currently provided by such guidelines and policy statements."

The Guideline section that applies to the CFAA is § 2B1.1 which also covers other fraud and theft crimes. The "base offense level," or starting point of the Guideline calculation, depends on the maximum punishment. But unless a defendant is convicted of causing damage to a protected computer that "recklessly causes serious bodily injury" or a repeat violation of some CFAA crimes, the base offense level for CFAA crimes is 6.

At first blush, a CFAA defendant is clearly at the lower end of the sentencing spectrum. For sentence ranges falling in "Zone A," the Guidelines authorize a court to impose probation without any imprisonment. However, the offense levels steadily increase as the Guidelines' myriad adjustments and enhancements start to apply.

"Loss," The Infinite Enhancement

After determining the base offense level, § 2B1.1(b) tells the court to calculate the amount of financial loss caused by the crime. "Loss" means the greater of either "actual loss"—the reasonably foreseeable financial harm caused by the crime—or the "intended loss"—the financial harm the defendant intended to cause if not for some obstacle getting in the way. In a fraud or theft case, that generally is the value of the thing taken. But the Guidelines define "loss" much more broadly for CFAA convictions:

In the case of an offense under 18 U.S.C. § 1030, actual loss includes the following pecuniary harm, regardless of whether such pecuniary harm was reasonably foreseeable: any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other damages incurred because of interruption of service.

Not only does this exclusive CFAA definition and the corresponding sentencing increase lead to excessive sentences compared to other forms of fraud; it also gives prosecutors wide discretion to ratchet potential sentences for defendants who insist on exercising their constitutional right to go to trial.

For example, Andrew "Weev" Auernheimer was sentenced to 41 months in prison for exposing a security hole on AT&T's servers that publicly revealed iPad users' email addresses. The court ruled that the "loss" to AT&T in his case was $73,000. But that wasn't the "value" of the email addresses that were taken or the cost of fixing the computers or servers; rather that was how much it cost AT&T to mail a letter to its customers notifying them of the email breach. As Professor Orin Kerr has noted, that loss amount is unreasonable because it had nothing to do with fixing the computers and wasn't a reasonable response to the problem by AT&T since AT&T also sent an email notice of the breach, which had been effective. Yet, that $73,000 loss amount resulted in an 8 level increase to the offense level for Auernheimer. For his co-defendant Daniel Spitler, who pleaded guilty and testified against Auernheimer, prosecutors agreed to a loss amount of $30,000, subjecting him to only a 6 level increase.

In the case of Aaron Swartz, the ability of prosecutors to determine loss resulted in an enormous sentencing exposure swing. Since Swartz didn't "hack" into anything and didn't harm any computers, the sole issue that would determine his possible sentence would be the value of the articles he took from JSTOR. When prosecutors offered Swartz a plea deal that would result in a few months in jail, they were likely calculating the loss to be more than $10,000 but less than $30,000, resulting in only a 4 level increase in the Guidelines. But according to Swartz's lawyer Elliot Peters, prosecutors also threatened Swartz with a much greater sentence if he went to trial, claiming the amount of loss was $2 million. That would result in a 16 level increase in his Guideline range. Others have speculated that if taken to its logical extreme -- taking 4.8 million articles that cost $19 apiece to download -- the loss could be $91 million, leading to a 24 level increase, bringing his Guideline sentence closer to the maximum punishments bandied about in DOJ's press release.

These wild swings create uncertainty and put pressure on defendants to plead guilty. And while that's true in any criminal case, it's amplified with the CFAA since the loss definition is broader than even other federal fraud crimes.

Double (and Triple) Counting Computer Skills

Unfortunately, there's more. Section 2B1.1(b)(10) also calls for a two level increase for using "sophisticated means" to commit the crime. For Auernheimer, that was Spitler's act of running the script that simply modified a number in a public URL. It could easily be the same thing for Swartz, who also allegedly ran a script in order to bulk download the files from JSTOR, despite the fact he actually had permission to access the files, just not with a bulk downloader.

Meanwhile, there's another enhancement that covers the same exact conduct which could also apply. Under § 3B1.3 a defendant who uses a "special skill" to commit a crime faces another two level enhancement, notwithstanding § 2B1.1(b)(10)'s "sophisticated means" increase. A "special skill" is "a skill not possessed by members of the general public and usually requiring substantial education, training or licensing." The examples given by the USSG are a pilot, lawyer or doctor. DOJ claimed Auernheimer—who again did no "hacking" or script writing—had "special" computer skills that justified the increase. So he received an additional 4 level increase.

It's easy to imagine the same enhancement applying to Swartz too for not only running the script, but also for masking his IP address—a legitimate practice designed to protect anonymity—in order to avoid getting kicked off of MIT's network or JSTOR's servers and leave no trace of who he was or where he was coming from.

The Guidelines allow the same conduct to result in multiple level increases, ultimately resulting in a higher sentence.

Adding It All Together

Auernheimer also received another two level increase under § 2B1.1(b)(11) for transferring a "means of identification," specifically the email addresses. So here's how the Guidelines ultimately worked out for Weev and Swartz on the CFAA counts. Both are in criminal history category I:

                          | Weev         | Swartz
Base Offense Level        | 6            | 6
Loss                      | +8 ($73,000) | +16 ($2 million)
"Sophisticated Means"     | +2           | +2
"Means of Identification" | +2           | 0
"Special Skill"           | +2           | +2
Adjusted Offense Level    | 20           | 26
Guideline Range           | 33-41 months | 63-78 months

Weev and Swartz are in "Zone D" of the table, meaning the Guidelines disqualified them from probation and required a prison sentence. Weev received a sentence at the high end of the Guideline range, 41 months, with some noting his past Internet behavior motivated the higher sentence. And in truth, § 1B1.4 of the Guidelines tells the court it "may consider, without limitation, any information concerning the background, character and conduct of the defendant" when deciding on the appropriate sentence.

Prosecutors took full advantage of this provision, informing the court of Auernheimer's past behavior, and the court took the bait, holding Weev accountable for actions irrelevant to the criminal sentence and imposing a sentence that was not only at the high end of the Guideline range, but more than other defendants convicted of arguably worse behavior.

Ultimately, the Guidelines are just as much of a problem in CFAA cases as the broad language of the statute and the maximum punishments. We're working hard to reform the CFAA, advocating for the law's penalties to be proportionate to the wrongdoing they're meant to punish. That means Congress needs not only to change the CFAA's penalty scheme but also to call on the USSC to reexamine how the Guidelines treat the CFAA. So please join EFF in calling on Congress to fix the CFAA by sending an email to your elected representatives now.
